Catelites is a new version of the banking trojan CronBot, linked to the Cron cybercriminal group, many of whose members were arrested by Russian authorities in May 2017. Catelites shares many similarities with its predecessor, using sophisticated social engineering tactics to trick users into divulging their banking information. Researchers have observed one or two malicious apps per week targeting Android devices with the Catelites malware.

The malware is installed onto the device after a malicious app is downloaded from a third-party app store, from a malvertisement, or from a phishing site. Once downloaded, an app icon titled "System Application," bearing a shield image like that of an antivirus program, appears on the device home screen. When this icon is clicked, it asks for admin rights and, if those are granted, the icon disappears and is replaced by three familiar-looking apps claiming to be "Gmail," "Google Play," and "Chrome." If the user opens any of these applications, an overlay screen appears requesting payment information, such as a credit card number.

In addition, the malware is able to pose as over 2,200 different banks and financial institutions. Once a user opens their banking app, the malware activates and places an overlay screen on the app in order to trick the user into providing account usernames and passwords or bank card numbers. Additional functions that have not yet been activated for the malware include: intercepting incoming and outgoing SMS texts, setting ringer and stream volume to mute, and retrieving all running processes from other apps. It can also persistently ask for specific admin rights that could wipe data from the device or lock the user out of the device.

Technical Details

  • Avast provides technical analysis of Catelites here.

UPDATE 6/19/2019: Cron is no longer strictly an Android malware. Crypto-mining malware has been observed proliferating on Linux hosts by dropping Cron on compromised devices to ensure reinfection after the malware is removed. The miner is downloaded by using a Bash script during the initial infection stage. Researchers are unsure of the entry method of infection, but assess that unpatched vulnerabilities, brute force, or phishing may be to blame.

  • Sucuri researchers provide technical information here.